diff --git a/project/__init__.py b/project/__init__.py
index 4dea175..b3f3f1d 100644
--- a/project/__init__.py
+++ b/project/__init__.py
@@ -29,6 +29,14 @@ app.config["SECURITY_EMAIL_SENDER"] = os.getenv("MAIL_DEFAULT_SENDER")
 app.config["LANGUAGES"] = ["en", "de"]
 app.config["SERVER_NAME"] = os.getenv("SERVER_NAME")
+# Proxy handling
+if os.getenv("PREFERRED_URL_SCHEME"): # pragma: no cover
+ app.config["PREFERRED_URL_SCHEME"] = os.getenv("PREFERRED_URL_SCHEME")
+
+from project.reverse_proxied import ReverseProxied
+
+app.wsgi_app = ReverseProxied(app.wsgi_app)
+
 # Generate a nice key using secrets.token_urlsafe()
 app.config["SECRET_KEY"] = os.environ.get(
 "SECRET_KEY", "pf9Wkove4IKEAXvy-cQkeDPhv9Cb3Ag-wyJILbq_dFw"
diff --git a/project/reverse_proxied.py b/project/reverse_proxied.py
new file mode 100644
index 0000000..c8b6be7
--- /dev/null
+++ b/project/reverse_proxied.py
@@ -0,0 +1,14 @@
+from project import app
+
+
+class ReverseProxied(object):
+ def __init__(self, app):
+ self.app = app
+
+ def __call__(self, environ, start_response):
+ # if one of x_forwarded or preferred_url is https, prefer it.
+ forwarded_scheme = environ.get("HTTP_X_FORWARDED_PROTO", None)
+ preferred_scheme = app.config.get("PREFERRED_URL_SCHEME", None)
+ if "https" in [forwarded_scheme, preferred_scheme]: # pragma: no cover
+ environ["wsgi.url_scheme"] = "https"
+ return self.app(environ, start_response)
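Review bot: In project/__init__.py, `app.wsgi_app = ReverseProxied(app.wsgi_app)` is applied on every deployment, and the middleware's `__call__` in project/reverse_proxied.py then accepts `X-Forwarded-Proto` from whichever peer sent the request. That header is only trustworthy when a proxy you control sets or overwrites it; where the app is also reachable directly, the client chooses the value, and it feeds `wsgi.url_scheme` and everything derived from it (`request.is_secure`, generated absolute URLs). Make the wrap opt-in per deployment, or use Werkzeug's `ProxyFix(app.wsgi_app, x_proto=1)`, which makes the number of trusted hops explicit. A comment next to the wrap should state that the front proxy must overwrite the header.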
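Review bot: In project/reverse_proxied.py, `__call__` reads `app.config` from the module-level `app` imported from `project`, while `__init__` takes a parameter also named `app` that holds the wrapped WSGI callable; the two are easy to confuse, and the import makes this module circular with project/__init__.py. Passing the scheme in removes both problems: `def __init__(self, app, preferred_scheme=None):` with the call site becoming `ReverseProxied(app.wsgi_app, app.config.get("PREFERRED_URL_SCHEME"))`. This reads the setting once at start-up rather than per request, which looks equivalent here but should be confirmed. The `"https" in [...]` test is an exact match, so a chained-proxy value such as `https, http` would not be recognised; comparing the first comma-separated token would cover it. The class also lacks a docstring; one saying it must only run behind a proxy that overwrites `X-Forwarded-Proto` would record the trust assumption.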